Users of the WordPress blogging platform who have not updated their software in the last month need to beware of a worm making the rounds of Web sites, the developers of the popular blogging software said over the weekend.

The malicious program affects blogs that use WordPress and have not installed either of the two latest updates, released on August 3 and August 12. The worm attacks Web sites by registering itself as a user, exploiting the flaw to make itself an admin, hiding itself, and then updating posts and comments with spam and links to malware, the WordPress developers said.

“The tactics are new, but the strategy is not,” the WordPress project stated on its official blog. “Where this particular worm messes up is in the ‘clean up’ phase: It doesn’t hide itself well, and the blogger notices that all his links are broken, which causes him to dig deeper and notice the extent of the damage.”

Increasingly, cybercriminals are relying on legitimate Web sites as a way to compromise their victims’ systems. They are finding fertile ground for their malware: A survey published in 2007 found that only one in 50 blogs was running the latest version of WordPress.

The blogging software developers argued that patching is the easiest way for blog administrators to avoid the time-consuming problem of cleaning up a hacked blog.

“Upgrading is a known quantity of work, and one that the WordPress community has tried its darndest to make as easy as possible with one-click upgrades,” the developers stated in the blog post. “Fixing a hacked blog, on the other hand, is quite hard. Upgrading is taking your vitamins; fixing a hack is open heart surgery.”